Strategic Supplier Risk Management: Value Beyond the Assessment



By Chris Murphey


Key Thoughts on Supplier Risk Management



Vendor risk management is an important consideration across the organization, not only for the technology team. Its ramifications extend beyond assessing the security posture of the vendors and suppliers you're working with. It also affects the business side of the house, since it can help you manage limited resources and control costs. Sometimes the best item on your vendor risk management checklist is to reassess your current vendor ecosystem and narrow your supply or service chain. Knowing which vendors to cut and which to keep is the multimillion-dollar question.

You probably do similar strategic risk assessments in everyday life, too. It's like having a trusted neighbor with whom you share house keys. It's convenient in case you lock yourself out, need him to check on your cat or water your plants while you're away, or let the cable guy in while you're at work. But would you give a key to two neighbors, or three, or even ten? Suddenly you have a house-key management nightmare on your hands. You're not sure who has access to your home, whether someone has lost your keys and you'll have to pay to replace the locks, or whether that tenth neighbor who lives six miles away is really adding any value. It's nice to have a backup, but at what cost?


When It Makes Sense to Narrow Your Vendor Supply Chain


There are times throughout every organization’s supplier risk management lifecycle when it makes sense to reassess who you’re working with and evaluate their value to the business based on vendor risk management best practices. The situation could be:


  • Reactive: Your organization may be going through a cost-cutting initiative. Procurement will ask you to review the list of suppliers to see who can be cut to boost the bottom line. 


  • Proactive: The security organization may be managing vendor-by-vendor and risk-by-risk, which drains your team's time and available resources. By being proactive and taking a holistic view of the suppliers you're working with, you can win from a risk-reduction standpoint. It also gives you a chance to build bridges with the business and win friends in procurement, if you approach them first and coordinate your efforts for a better outcome.


  • Business-Driven: In some cases, the initiative to narrow the vendor supply chain is driven by the business, rather than procurement or security. A good example would be someone managing a call center that provides worldwide coverage and needs deep outsourcing support. Narrowing the pool of vendors makes management easier, and it can also yield a better cost structure, because the vendors you keep are now getting more of your work and may be able to offer a volume discount.


  • Situational: Situational drivers for narrowing down your vendor list may be less common, but still important. M&A is a good example of this. It can help two parties in a merger get a feel for where vendors may overlap and how to streamline their lineup.


Data Drives the Conversation for Supplier Risk Management


Regardless of the impetus behind the move to narrow your vendor supply chain, you’ll need to identify the appropriate candidates to sever ties with and rationalize your decision. Data is key to a productive conversation with other parts of the business.

We've been working with organizations across industries to help them build out dashboards and reports to do exactly that: rack and stack suppliers based on how risky they are relative to the value they bring. This helps the security organization, procurement, and the business make an informed decision about narrowing the vendor ecosystem. The solution brings together a 360-degree view of each vendor, including security and compliance controls, control deficiencies, and third-party sourced data. Together these give you a better picture of the security profile, financial risk indicators, and negative brand reputation of the suppliers you're working with, or could work with.

Now, if only there was an equally powerful tool for deciding which neighbor to lend your house key to, we’d all sleep a little better at night.